External risk intelligence

WDR201A WiFi Extender allows attackers to take control of devices over the network

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-41922

The WDR201A WiFi Extender contains a flaw that allows an external attacker to take full control of the device without requiring login credentials. This exposes your network traffic to potential interception and enables unauthorized access to your private infrastructure.

2Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-41922

The WDR201A is a consumer WiFi extender typically deployed within a local area network behind a primary gateway router. While network-reachable within the local environment, these devices are not designed to be public-facing and public internet exposure is not a standard configuration, though it can occur through misconfiguration.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in the WDR201A WiFi Extender that allows attackers to run commands on the device without needing to log in. This is because the device does not properly check information sent to it, creating an opportunity for malicious input. This issue is significant because it could allow unauthorized control of the device.

  • Attackers can execute arbitrary code.
  • This affects devices reachable from the internet.
  • It allows remote code execution.

Attack Path

How an attacker could exploit the issue

Unauthenticated attackers can exploit this vulnerability in the WDR201A WiFi Extender by sending specially crafted POST requests to the `wireless.cgi` binary. By injecting malicious commands into the `sz11gChannel` or `PIN` parameters, they can achieve arbitrary shell command execution on the device. This allows for remote code execution without needing any prior access or credentials.

  • Targets the `wireless.cgi` binary.
  • Exploits unsanitized POST parameters.
  • No authentication required.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated remote attackers to execute arbitrary shell commands on the WDR201A WiFi Extender by injecting malicious input into specific POST parameters. Such vulnerabilities are attractive to attackers because they offer a direct path to code execution without needing credentials or user interaction, enabling broad compromise of the device and potentially the network it resides on.

  • No observed exploitation in the wild.
  • Public exploit code is available.
  • Critical unauthenticated remote code execution.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Focus on identifying and blocking any network traffic targeting the WDR201A WiFi Extender on vulnerable firmware versions. Prioritize isolating any identified affected devices to prevent further exploitation, as active exploitation is likely due to the critical severity and unauthenticated remote code execution.

  • Block inbound traffic to wireless.cgi.
  • Isolate affected extenders immediately.
  • Monitor for new device connections.

Frequently asked questions

What is the WDR201A WiFi Extender?

The WDR201A WiFi Extender is a hardware device designed to increase the range of a wireless network. It is commonly used in homes and small offices to improve WiFi signal strength in areas that are too far from the main router to receive a good signal.

What type of vulnerability does CVE-2026-41922 represent for the WDR201A?

CVE-2026-41922 is an OS command injection vulnerability. This weakness allows attackers to trick the WDR201A WiFi Extender into executing their own commands, potentially leading to unauthorized control of the device by sending specially crafted input.

How can an attacker exploit the WDR201A WiFi Extender's vulnerability?

Attackers can exploit this vulnerability by sending specially crafted POST requests to the `wireless.cgi` binary. By injecting malicious commands into the `sz11gChannel` or `PIN` parameters, they can achieve arbitrary shell command execution on the device without needing any authentication.

What is the relevance of CVE-2026-41922 for the WDR201A WiFi Extender?

This vulnerability allows unauthenticated remote attackers to execute arbitrary shell commands on the WDR201A WiFi Extender. This is a critical issue because it provides a direct path for attackers to gain control of the device without credentials or user interaction, potentially leading to broader network compromise. Halo Surface Signal indicates this is unlikely to be exposed to the public internet, but misconfiguration can lead to exposure.

What steps should be taken to address the WDR201A WiFi Extender vulnerability?

It is recommended to identify and block any network traffic targeting the WDR201A WiFi Extender on vulnerable firmware versions. Immediately isolate any identified affected devices to prevent further exploitation. Monitoring for new device connections on the network is also advised.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified